ThreatExpert Report: Bloodhound.Malautoit, Mal/Espion-B

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 11 August 2012, 23:40:36
Processing time: 11 min 20 sec
Submitted sample:

File MD5: 0xE73378C347E30457FDBC021D70E6923E
File SHA-1: 0xA90148DA5C942F2649ABBBC59E806F541BBD7484
Filesize: 687,426 bytes
Alias:

Bloodhound.Malautoit [Symantec]
Mal/Espion-B [Sophos]

Summary of the findings:

What's been found	Severity Level
Produces outbound traffic.
Creates a startup registry entry.

Technical Details:

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%AppData%\systeme32\msn.exe %ProgramFiles%\systeme32\msn.exe	374,538 bytes	MD5: 0xBB671B12EB6DDA1ACF6BCE881CF11B63 SHA-1: 0xEFFD46760ACE59DB592AFB849AC42E515A7E6D13	Bloodhound.Malautoit [Symantec] packed with UPX [Kaspersky Lab]
2	%AppData%\systeme32\skype.exe %Windir%\msn.exe %Windir%\systeme32\skype.exe %Windir%\~olojdgw.exe	374,919 bytes	MD5: 0x18F53EF8FD70612330ED7D600E8784AA SHA-1: 0x34E612488C0866F618A599CC338D3C47447FDACE	Bloodhound.Malautoit [Symantec] packed with UPX [Kaspersky Lab]
3	%Windir%\skype.exe	375,300 bytes	MD5: 0xC63C9E5100E17FA6A2666341ED070278 SHA-1: 0x7379A43AFAE1AA6244889AFD552EDBD4B4DFF97E	Bloodhound.Malautoit [Symantec] packed with UPX [Kaspersky Lab]
4	[file and pathname of the sample #1]	687,426 bytes	MD5: 0xE73378C347E30457FDBC021D70E6923E SHA-1: 0xA90148DA5C942F2649ABBBC59E806F541BBD7484	Bloodhound.Malautoit [Symantec] Mal/Espion-B [Sophos] packed with UPX [Kaspersky Lab]

Notes:

%AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

The following directories were created:

%AppData%\systeme32
%ProgramFiles%\systeme32
%Windir%\systeme32

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
msn.exe	%Windir%\msn.exe	745,472 bytes
~olojdgw.exe	%Windir%\~olojdgw.exe	36,864 bytes
skype.exe	%Windir%\skype.exe	36,864 bytes
skype.exe	%Windir%\systeme32\skype.exe	36,864 bytes
~olojdgw.exe	%Temp%\~olojdgw.exe	36,864 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	741,376 bytes
msn.exe	%ProgramFiles%\systeme32\msn.exe	36,864 bytes

Notes:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{07A5AEC1-B5C7-032D-50A8-5238F55F0FB1}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{130DA77E-95A0-D4D7-C896-FC5F4A3A0920}
HKEY_LOCAL_MACHINE\SOFTWARE\Bifrost9999
HKEY_LOCAL_MACHINE\SOFTWARE\skype1111
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaResources\msvideo
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\msvideo
HKEY_CURRENT_USER\Software\Bifrost9999
HKEY_CURRENT_USER\Software\skype1111

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{07A5AEC1-B5C7-032D-50A8-5238F55F0FB1}]

stubpath = "%ProgramFiles%\systeme32\msn.exe s"

so that msn.exe runs every time Windows starts

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{130DA77E-95A0-D4D7-C896-FC5F4A3A0920}]

stubpath = "%AppData%\systeme32\skype.exe s"

so that skype.exe runs every time Windows starts

[HKEY_LOCAL_MACHINE\SOFTWARE\Bifrost9999]

nck = DA 1F ED 2F CC 44 A2 32 74 C3 CD 74 FA 93 5B 67

[HKEY_LOCAL_MACHINE\SOFTWARE\skype1111]

nck = E4 2C D8 1E 94 44 A2 32 74 C3 CD 74 FA 93 5B 67

[HKEY_CURRENT_USER\Software\Bifrost9999]

klg = 00

[HKEY_CURRENT_USER\Software\skype1111]

klg = 00

Other details

Analysis of the file resources indicate the following possible country of origin:

United Kingdom

To mark the presence in the system, the following Mutex objects were created:

skype12
Bif1999

The following Host Names were requested from a host database:

athmane.no-ip.biz
sami24.no-ip.biz

There were registered attempts to establish connection with the remote hosts. The connection details are:

Remote Host	Port Number
athmane.no-ip.biz	81
sami24.no-ip.biz	81

Outbound traffic (potentially malicious)

There was an outbound traffic produced on port 81:

00000000 | 0401 0000 994F B271 E274 8C02 5AF2 B107 | .....O.q.t..Z...
00000010 | 9BFE 321B 4929 A67C 3A33 3AA1 E9E4 3029 | ..2.I).|:3:...0)
00000020 | 086A A5B8 CD4F 79A2 D8F5 A5E2 6EEE 55F8 | .j...Oy.....n.U.
00000030 | 06F8 2BC6 E874 556D C0CC 0804 9322 4B27 | ..+..tUm....."K'
00000040 | 1D0A 2F4A 9CC8 82BA 090C 162A FF2F 71C0 | ../J.......*./q.
00000050 | C6D0 689B 0967 5511 E3ED 1EF7 0CA5 4DB1 | ..h..gU.......M.
00000060 | 83B6 B291 3E18 EA71 77F2 09B4 9086 4D9D | ....>..qw.....M.
00000070 | 6749 5A85 A8A7 BD66 618C 6230 E3C5 1C3E | gIZ....fa.b0...>
00000080 | 7DE8 45EE 69B9 20C0 27D1 0D57 8F4F 1599 | }.E.i. .'..W.O..
00000090 | 0EEA BD37 58F7 2FD2 3D55 9DE3 73E1 BEE7 | ...7X./.=U..s...
000000A0 | 5A46 7EE6 A78E 10EC 808B 739D 964A D6AA | ZF~.......s..J..
000000B0 | A7DD D43B D33A 8156 8F8D 0C8D 1599 23C0 | ...;.:.V......#.
000000C0 | 5409 D718 3C44 32EA 87D0 7AF1 B5C6 B19C | T...<D2...z.....
000000D0 | 4387 98DE 6743 7CE8 F20C 13BB 7048 6721 | C...gC|.....pHg!
000000E0 | 4522 EF43 4F06 F541 EFF6 79C7 AAAD 9DE0 | E".CO..A..y.....
000000F0 | 47DE 4EAD 2FDA D6C6 342C A828 38DA DE0C | G.N./...4,.(8...
00000100 | F52D 5948 BD28 F341                     | .-YH.(.A

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.